Here's How Hackers Stole Over $1 Million From 1,600 StubHub Users

Six individuals in Russia and the United States have been charged with taking part in a broad international hacking scheme that attacked over 1,600 StubHub users’ accounts and fraudulently purchased more than $1 million in tickets.

In March 2013, StubHub discovered that more than 1,000 of its users’ accounts were compromised by hackers who were fraudulently purchasing thousands of tickets using the service. The tickets included Justin Timberlake concerts, expensive seats at Yankee Stadium behind the dugout, orchestra seats and sold-out Broadway shows. The tickets were worth over $1 million in total, law enforcement officials said.

StubHub told law enforcement officials of the breach, prompting a multi-national investigation into the hacking ring. Two Americans have been arrested and a third is expected to turn himself in over the coming days. Police are awaiting the extradition of a Russian national in Spain.

Related

“Today’s law enforcement action reflect the increasingly global landscape in which financial and cybercriminals operate,” said Manhattan District Attorney Cyrus R. Vance, Jr. on Wednesday. “Financial crime is no longer local.”

Vadim Polyakov, the Russian national currently being held in Spain, allegedly hacked StubHub accounts to purchase more than 3,500 tickets. Police say Polyakov sent the tickets to three American fences, who resold them and laundered the profits through Russian nationals and others in London and Toronto.

Police say Gmail chats between two of the Americas, Daniel Petryszyn told Laurence Brinkmeyer, show the Americans knew the tickets had been stolen. “ … This guy [Polyakov] is pretty much admitting he is a hacker,” wrote Petryszyn. “I don’t give a f*** I will launder all the money they want.”

The Americans sent the ticket proceeds to bank accounts controlled by Polyakov and other individuals around the world.

During the months-long international investigation, law enforcement officials scoured the ticket purchases of over 1,000 fraudulent ticket sales, identified them with PayPal accounts and used search warrants to track associated email addresses.

One officer with knowledge of Russian used Facebook messages to discover that Polyakov was taking a vacation in Spain. On July 3rd, Polaykov was tracked to a hotel to a hotel in Barcelona, where Spanish authorities and the U.S. Secret Service arrested him.

StubHub said that customers were refunded for unauthorized transactions, and that customers were assisted in changing their passwords.

The hackers obtained customers’ logins through other sources, StubHub said, not by hacking StubHub’s systems.

“Customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PC,” StubHub said in a statement.

Vance said it was unclear how the hackers originally obtained users’ names and passwords, but the transaction records show there may be others involved in the hacking scheme.

“With cybercrime, it’s very hard to say you’ve got it boxed up entirely,” Vance said. “We’ve got the core actors, though many more may follow elsewhere.”